Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/29/2011
03:56 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Businesses Backsliding On PCI Compliance

Most merchants that achieve compliance then fall out of it the next year, according to new Verizon data

It's been six years since the Payment Card Industry Data Security Standard (PCI DSS) was born, but most organizations worldwide still aren't remaining PCI-compliant year-round.

According to Verizon's newly published 2011 Payment Card Industry Compliance Report, 79 percent of organizations were not fully PCI compliant in their initial PCI audit in 2010, while only 21 percent were. That's about the same as last year's report, according to Verizon.

"Most of the clients in this review had been compliant with us previously or when another QSA" wrote the initial report of compliance, and most weren't new to PCI, says Jen Mack, director of Verizon's global PCI consulting services. "They were not able to maintain it throughout the year. They backslid."

Mack says that trend is likely in part due to other priorities overshadowing PCI throughout the year, but the underlying problem is that many organizations are not focusing on PCI as a year-round, long-term process. "[They] need a programmatic approach to make this easier to maintain ... there's a way to do it."

The organizations were achieving compliance and then at the next initial assessment, basically starting all over again in their rate of compliance. "It's still a good standard and it's not impossible to achieve compliance," Mack says. "The biggest thing in our report this year is that people are not able to or are not making the effort to maintain their compliance throughout the year."

Mack says the key is to fit PCI DSS requirements into a daily routine and to not just look at them as requirements that must be met when the qualified security assessor (QSA) comes knocking.

Verizon's report comes from findings in more than 100 PCI DSS assessments performed by its QSAs last year, and from data gathered by its investigative response group's work on payment card breach investigations. The company also analyzed the PCI data with findings from its 2011 Verizon Data Breach Investigations Report.

Joshua Daymont, principal with Securisea, says some companies are better at maintaining compliance than others. And it also depends on the details of the compliance report: Say a firm is found to have only 30 percent of its client machines running antivirus in an assessment, and then brings those machines into compliance with AV software. "Let's say the assessor comes back the next year and finds they have drifted out with the AV requirement, but only two computers don't have AV: they might be a computer that has not been used in a long time ... or a new computer and there was some process failure. In the report, it would show that they were out of compliance in those items, but the qualitative risk exposure is quite different" this year, he says.

That doesn't excuse noncompliance, he says, but that's an example of how the devil's in the details with assessments.

Verizon's report also found that nearly 90 percent of companies that were hit with breaches were not PCI-compliant. PCI clients scored better than breach victims by a 50 percent margin when it comes to PCI compliance. "...breach victims are less compliant than a normal population of organizations," according to the report. "Though the disparity between the groups fluctuates per requirement, on average, PCI clients scored better than breach victims by a 50 percent margin. So while ‘prove’ may be too strong a word to use in this case, the results do suggest that an organization wishing to avoid breaches is better off pursuing PCI DSS than shunning it altogether."

Even more disconcerting, however, were the areas in which they are slipping the most: in protecting stored cardholder data; tracking and monitoring access; regularly testing systems and processes; and maintaining security policies.

The lack of logging is a big red flag, according to security experts. "This is an outrage. The PCI Data Security Standard is a pretty low bar as far as computer security goes. The fact that companies are having a hard time maintaining compliance with it speaks to the sorry state of data security in the Cloud Age," says Bill Roth, CMO of LogLogic. "Verizon’s report showed that PCI 10, which requires companies to log all activity in the network, is one of the top three standards companies are failing to meet. There’s no excuse for failing to meet this standard. It’s not that hard -- start an appliance, point your logs, done. This is our personal information. Companies need to show their customers more respect and implement decent security."

But the bottom line is that even with PCI compliance, breaches are still occurring. That's because attackers are able to adjust their techniques as companies shore up their defenses, says Securisea's Daymont. "That is likely to go on for some time," he says. "To me, the biggest takeaway here is that PCI has a lot of great requirements, and one is that merchants have to use AV ... but the reality is that many AV solutions today just haven't been able to stop malware threats."

There were some bright spots in the Verizon report as well. Some 78 percent of testing procedures had been met at the time of the initial assessment, and the use of encryption was on the increase, with 72 percent encrypting the transmission of cardholder data over open networks, up from 63 percent last year. Some 83 percent won't accept payment via email now. "In many instances, they are going beyond simply making it a policy and are backing it up with automated filtering at the mail servers that deny any e-mails containing cardholder data," says the Verizon report.

A copy of the full report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19668
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-17963. Reason: This candidate is a reservation duplicate of CVE-2018-17963. Notes: All CVE users should reference CVE-2018-17963 instead of this candidate. All references and descriptions in this candidate have been removed to preve...
CVE-2019-12882
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2017-6363
PUBLISHED: 2020-02-27
** DISPUTED ** In the GD Graphics Library (aka LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c. NOTE: the vendor says "In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete, and should only be used for...
CVE-2017-6371
PUBLISHED: 2020-02-27
Synchronet BBS 3.16c for Windows allows remote attackers to cause a denial of service (service crash) via a long string in the HTTP Referer header.
CVE-2017-5861
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-1000020. Reason: This candidate is a reservation duplicate of CVE-2017-1000020. Notes: All CVE users should reference CVE-2017-1000020 instead of this candidate. All references and descriptions in this candidate have been removed to...